Need Basic NAT Config example.

Answered Question
Nov 6th, 2008

I need a working sample config based on these simple details:


Outside 172.16.1.2 255.255.255.0 level 0

Inside 192.168.0.3 255.255.255.0 level 100

DMZ 192.168.154.1 255.255.255.0 level 50


Web1 172.16.1.7 need to map to DMZ 192.168.154.7 smtp, https

Web2 172.16.1.24 need to map to inside 192.168.0.4 DNS https


1. I would like the inside network to be able to reach any server in the DMZ any service. Also be able to reach the web pages.

2. I would like the DMZ to pass only limited information like port http but I can build from any rule that works.


3. I would like to be able to browse the internet from the DMZ and inside.


I will rate high on any working configurations. I will rate each unique example using varied Nat types.



Correct Answer
Jon Marshall Thu, 11/06/2008 - 13:55

John


static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255

static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255


static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255

static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255


1) static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0


You don't need an acl because it is going from inside to DMZ


2) access-list DMZ_in extended permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80

access-group DMZ_in in interface dmz


This would allow all hosts on DMZ to talk to any host on inside on port 80. As you say you can narrow it down.


3) nat (inside) 1 192.168.0.0 255.255.255.0

nat (dmz) 1 192.168.154.0 255.255.255.0

global (outside) 1 interface

Again you don't need acl because you are going from higher to lower security level interfaces.


Jon
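
Jon's fragments assembled into one pasteable pre-8.3 configuration for the three interfaces in the question. This is an added example, not a config from the original thread or from Cisco; the physical interface names, the default-route next hop 172.16.1.1, the ACL names and the "!" comment lines are assumptions. It also supplies two things the fragments above leave out: the access-group commands that bind each ACL to an interface (an ACL that is not bound does nothing), and an outside ACL for the published servers. One caveat that bites in exactly the way this thread describes: binding an ACL to the dmz interface replaces the implicit higher-to-lower permit, so DMZ internet access has to be permitted explicitly in that same ACL.

```text
! Interfaces as given in the question (physical names assumed for an ASA 5510)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.154.1 255.255.255.0
!
! Default route (next hop 172.16.1.1 is an assumption)
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
! 3) PAT inside and dmz behind the outside interface address
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.154.0 255.255.255.0
global (outside) 1 interface
!
! 1) Identity NAT: inside hosts keep their addresses on the dmz side.
!    This also satisfies nat-control if it is enabled. No ACL is bound
!    to inside, so 100 -> 50 is permitted implicitly, any service.
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! Published servers: mapped (outside) address first, then real address
static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255
static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255
static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255
!
! outside (0) -> dmz/inside is lower-to-higher, so it needs an ACL.
! Pre-8.3 ACLs match the mapped (outside) addresses, and only the
! published ports are opened.
access-list outside_in extended permit tcp any host 172.16.1.7 eq smtp
access-list outside_in extended permit tcp any host 172.16.1.7 eq https
access-list outside_in extended permit udp any host 172.16.1.24 eq domain
access-list outside_in extended permit tcp any host 172.16.1.24 eq https
access-group outside_in in interface outside
!
! 2) dmz (50) -> inside (100) needs an ACL: http only. The explicit deny
!    keeps a compromised DMZ host from pivoting into the inside network,
!    and the final permit restores DMZ -> internet (50 -> 0), which the
!    implicit rule no longer covers once an ACL is bound to dmz.
access-list dmz_in extended permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq www
access-list dmz_in extended deny ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.154.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

After changing any static, nat or global line, run clear xlate so stale translations are rebuilt. This syntax is for ASA 8.2 and earlier; from 8.3 onward NAT is configured with object and nat statements and ACLs match the real (untranslated) addresses, so the outside_in entries would reference 192.168.154.7 and 192.168.0.4 instead of the mapped addresses.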

John.OuYang Fri, 11/07/2008 - 09:26

This doesn't appear to be working. Can you create a show running-config that I can build from?

Jon Marshall Fri, 11/07/2008 - 09:34

John


Could you be a bit more specific: which bits work and which don't? If none of it works, can you check basics such as whether both interfaces are up, etc.


Jon

John.OuYang Fri, 11/07/2008 - 11:54

I am unable to pass any traffic to the DMZ from the inside. I can't pass any traffic from the DMZ to the inside...on specific ports and open to any. All interfaces are up.

I ran clear xlate.

I wonder if the default from a higher security to a lower security rules are working.

All I can do is browse the internet.


I guess I could try another ASA 5510.

I do appreciate the help.



husycisco Fri, 11/07/2008 - 12:11

Hello John,

Please post your running config and let us advise on it.


Regards

John.OuYang Mon, 11/10/2008 - 13:13

Here is a copy of the running config on the ASA 5510. I built it based on the information Jon provided. No traffic is passing. I expected to be able to RDP or reach the C drive of the server in the DMZ from an inside PC.


John



risenshine4th Wed, 11/12/2008 - 12:45

I've started over several times. I seem to be getting back to the same place...

I can browse the internet from DMZ or inside PCs.

I just can't seem to pass any traffic between them.


I even put all interfaces in one pool to allow dynamic translation to the DMZ and outside, and translation from the DMZ to the inside and outside interface pools.


What am I missing?



Correct Answer
John Blakley Wed, 11/12/2008 - 14:11

You have an acl:


access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0


But you're not allowing traffic back in:


permit ip 192.168.0.0 255.255.255.0 any


If the above acl doesn't work, try to do "permit ip any any" to see if you can get ANY traffic at all.


HTH


--John
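
The CLI checks that pin down an "ACL shows in ASDM but nothing passes" problem, as an added example that is not part of the original posts. The ASDM rule table is only a view over the running configuration, so verify on the CLI that the ACL exists and is bound; then let packet-tracer (ASA 7.2 and later) say which phase drops the flow. The inside source host 192.168.0.10, the source ports and the destination ports are assumptions based on John's RDP and file-share test and on the http rule.

```text
! Does the ACL exist, and does it have hit counts?
show access-list dmz_access_in
!
! Is it actually bound to an interface? An ACL with no access-group
! line never evaluates anything.
show running-config access-group
!
! Simulate the failing flows and read the Drop-reason / Result lines.
! inside -> dmz: RDP and SMB to the DMZ server (needs the identity static,
! no ACL since 100 -> 50)
packet-tracer input inside tcp 192.168.0.10 1025 192.168.154.7 3389
packet-tracer input inside tcp 192.168.0.10 1026 192.168.154.7 445
! dmz -> inside: http (needs the bound ACL and a translation for the
! inside host on the dmz side)
packet-tracer input dmz tcp 192.168.154.7 1025 192.168.0.4 80
! dmz -> internet: must still be permitted once an ACL is bound to dmz
packet-tracer input dmz tcp 192.168.154.7 1026 198.51.100.10 80
!
! What translations and connections were actually built
show xlate
show conn
!
! After editing static/nat/global, flush old translations
clear xlate
```

If the packet-tracer result for inside to dmz shows a drop in the NAT phase, the identity static (inside,dmz) is missing; a drop in the ACCESS-LIST phase on the dmz tests means the bound ACL lacks the permit, which is the case John Blakley's reply above addresses.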

John.OuYang Fri, 11/14/2008 - 12:47

Exactly what I was missing.

It shows this rule in the ASDM Rules but this ACL is clearly missing from the ACL Manager.


Kind of odd. I thought that ACEs and the defined access rules were the same thing for DMZ incoming rules. So it must be a weird error for one to exist without the other.


John
